Not quite
I took NT1.JPG and found several occurances of FF D9.
If I blindly truncate everything after the first occurance, I do wind
up with a seemingly normal froggie image with a file length of 886
bytes. If I use the Irfan Save method I get a file length of 1,634
bytes.
It's interesting that when I use the Irfan Save method on the 886
byte file, the result is a 1,634 byte file ... the same length
resulting from using the Irfan Save method on the original.
To add a little more info, I found that all four files have the same
identical characteristic in that truncating them just after the first
occurance of FF D9 results in a 886 byte froggie which Irfan "thinks"
is a legit JPG file. By four files, I mean in addition to NT1, 2, 3
I'm including WINLOGON.JPG. In this latter file I found only one
occurance of FF D9 and that's probably the file Jim was looking
at.
I looked at a few ordinary or normal JPG files and they have
FF D9 at the actual EOF while none of the Trojaned files do,
so that suggests a simple heuristic for sorting and continuing to
look further only if no FF D9 exists at the actual EOF. Thus a
scrubber specifically aimed at these types of Trojaned files wouldn't
have to touch normal files at all. I too now wonder if it might turn
out to be very simple. What would be the danger in using a
simple agorithm that sorts JPGs on the basis of requiring FF D9 at
actual EOF and if not, truncate everything after the first
occurance of FF D9? Or maybe just delete all such files
and not bother to truncate them at all? Or leave the decision
up to the user?
Makes me wonder why more av aren't using a such a simple heuristic
to at least flag these files as suspicious.
Art
http://home.epix.net/~artnpeg